@go-to-k/cdkd 0.45.0 → 0.46.1

package/dist/cli.js

@@ -8510,6 +8510,31 @@ function matchesCdkPath(tags, cdkPath) {
   }
   return false;
 }
+function normalizeAwsTagsToCfn(tags) {
+  if (!tags)
+    return [];
+  const out = [];
+  if (Array.isArray(tags)) {
+    for (const t of tags) {
+      const obj = t;
+      const k = (typeof obj["Key"] === "string" ? obj["Key"] : void 0) ?? (typeof obj["TagKey"] === "string" ? obj["TagKey"] : void 0) ?? (typeof obj["key"] === "string" ? obj["key"] : void 0);
+      const v = (typeof obj["Value"] === "string" ? obj["Value"] : void 0) ?? (typeof obj["TagValue"] === "string" ? obj["TagValue"] : void 0) ?? (typeof obj["value"] === "string" ? obj["value"] : void 0);
+      if (typeof k !== "string" || k.length === 0)
+        continue;
+      if (k.startsWith("aws:"))
+        continue;
+      out.push({ Key: k, Value: typeof v === "string" ? v : "" });
+    }
+  } else {
+    for (const [k, v] of Object.entries(tags)) {
+      if (!k || k.startsWith("aws:"))
+        continue;
+      out.push({ Key: k, Value: typeof v === "string" ? v : "" });
+    }
+  }
+  out.sort((a, b) => a.Key < b.Key ? -1 : a.Key > b.Key ? 1 : 0);
+  return out;
+}
 
 // src/provisioning/providers/iam-role-provider.ts
 var IAMRoleProvider = class {
@@ -9069,9 +9094,10 @@ var IAMRoleProvider = class {
    *    costs one extra `GetRolePolicy` per inline policy. Out of scope for
    *    v1 — drift detection on inline IAM policy bodies can ship in a
    *    follow-up.
-   *  - `Tags` is omitted for the same reason as Lambda's tags handling
-   *    (CDK auto-injects `aws:cdk:path` and the shape decision belongs in a
-   *    dedicated tags PR).
+   *  - `Tags` is surfaced via `ListRoleTags` (paginated). CDK's `aws:*`
+   *    auto-tags are filtered out by `normalizeAwsTagsToCfn` so they don't
+   *    fire false-positive drift; the result key is omitted entirely when
+   *    AWS reports no user tags (matches `create()`'s behavior).
    *
    * Returns `undefined` when the role is gone (`NoSuchEntityException`).
    */
@@ -9121,8 +9147,46 @@ var IAMRoleProvider = class {
       if (!(err instanceof NoSuchEntityException))
         throw err;
     }
+    try {
+      const collected = [];
+      let marker;
+      while (true) {
+        const tagsResp = await this.iamClient.send(
+          new ListRoleTagsCommand({
+            RoleName: physicalId,
+            ...marker ? { Marker: marker } : {}
+          })
+        );
+        if (tagsResp.Tags) {
+          for (const t of tagsResp.Tags) {
+            collected.push({ Key: t.Key, Value: t.Value });
+          }
+        }
+        if (!tagsResp.IsTruncated)
+          break;
+        marker = tagsResp.Marker;
+      }
+      const tags = normalizeAwsTagsToCfn(collected);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (!(err instanceof NoSuchEntityException))
+        throw err;
+    }
     return result;
   }
+  /**
+   * `Policies` (inline policy bodies) are intentionally omitted from
+   * `readCurrentState`: surfacing the names without bodies would
+   * guarantee a `PolicyDocument`-shaped drift on every role, and
+   * fetching every body costs one extra `GetRolePolicy` per inline
+   * policy. Tell the drift comparator to skip the whole subtree until a
+   * dedicated PR adds proper inline-policy drift via per-name
+   * `GetRolePolicy`.
+   */
+  getDriftUnknownPaths() {
+    return ["Policies"];
+  }
   /**
    * Adopt an existing IAM role into cdkd state.
    *
@@ -12126,14 +12190,9 @@ var S3BucketProvider = class {
     }
     try {
       const resp = await this.s3Client.send(new GetBucketTaggingCommand({ Bucket: physicalId }));
-      if (resp.TagSet && resp.TagSet.length > 0) {
-        const tags = resp.TagSet.filter((t) => t.Key && !t.Key.startsWith("aws:")).map((t) => ({
-          Key: t.Key,
-          Value: t.Value
-        }));
-        if (tags.length > 0)
-          result["Tags"] = tags;
-      }
+      const tags = normalizeAwsTagsToCfn(resp.TagSet);
+      if (tags.length > 0)
+        result["Tags"] = tags;
     } catch (err) {
       const e = err;
       if (e.name !== "NoSuchTagSet") {
@@ -12742,9 +12801,11 @@ var SQSQueueProvider = class {
    * `QueueName` is derived from the URL tail (the `physicalId` is the
    * queue URL), not surfaced by `GetQueueAttributes`.
    *
-   * `Tags` is omitted: `ListQueueTags` is a separate call and tag drift is
-   * generally less interesting than configuration drift; the `aws:cdk:path`
-   * shape question is also out of scope here.
+   * `Tags` is surfaced via `ListQueueTags` (returns a tag-name → value map).
+   * CDK's `aws:*` auto-tags are filtered out by `normalizeAwsTagsToCfn`; the
+   * result key is omitted entirely when AWS reports no user tags (matches
+   * `create()`'s behavior of only sending Tags when the template carries
+   * them).
    *
    * Returns `undefined` when the queue is gone (`QueueDoesNotExist`).
    */
@@ -12812,6 +12873,18 @@ var SQSQueueProvider = class {
         result["RedrivePolicy"] = attributes["RedrivePolicy"];
       }
     }
+    try {
+      const tagsResp = await this.sqsClient.send(
+        new ListQueueTagsCommand({ QueueUrl: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (err instanceof QueueDoesNotExist)
+        return void 0;
+      throw err;
+    }
     return result;
   }
   /**
@@ -13431,11 +13504,16 @@ var SNSTopicProvider = class {
    * `TopicName` is derived from the ARN tail (the `physicalId` is the
    * topic ARN).
    *
-   * `Tags` and `DeliveryStatusLogging` are intentionally omitted:
-   * `ListTagsForResource` is a separate call, and `DeliveryStatusLogging`
-   * fans out into per-protocol attributes (`{Protocol}SuccessFeedbackRoleArn`,
-   * etc.) whose round-trip back to the CFn array shape needs more thought
-   * than fits in this PR.
+   * `Tags` is surfaced via a follow-up `ListTagsForResource` call. CDK's
+   * `aws:*` auto-tags are filtered out by `normalizeAwsTagsToCfn`; the
+   * result key is omitted entirely when AWS reports no user tags (matches
+   * `create()`'s behavior of only sending Tags when the template carries
+   * them).
+   *
+   * `DeliveryStatusLogging` is intentionally omitted: it fans out into
+   * per-protocol attributes (`{Protocol}SuccessFeedbackRoleArn`, etc.) whose
+   * round-trip back to the CFn array shape needs more thought than fits in
+   * this PR.
    *
    * `Subscription` is omitted because CDK manages it via separate
    * `AWS::SNS::Subscription` resources, not as a Topic property.
@@ -13488,8 +13566,32 @@ var SNSTopicProvider = class {
         }
       }
     }
+    try {
+      const tagsResp = await this.snsClient.send(
+        new ListTagsForResourceCommand({ ResourceArn: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (err instanceof NotFoundException)
+        return void 0;
+      throw err;
+    }
     return result;
   }
+  /**
+   * `DeliveryStatusLogging` fans out to per-protocol attributes
+   * (`{Protocol}SuccessFeedbackRoleArn` etc.) whose round-trip back to the
+   * CFn array shape is not yet implemented; `Subscription` is managed via
+   * separate `AWS::SNS::Subscription` resources rather than the Topic
+   * itself. Both are absent from `readCurrentState`, so tell the drift
+   * comparator to skip them and avoid the guaranteed false-positive that
+   * would fire on every clean run when the user did template either.
+   */
+  getDriftUnknownPaths() {
+    return ["DeliveryStatusLogging", "Subscription"];
+  }
   /**
    * Adopt an existing SNS topic into cdkd state.
    *
@@ -14691,11 +14793,13 @@ var LambdaFunctionProvider = class {
    * function's `CodeSha256` does live in `GetFunction` but is not what
    * cdkd's `Code: { S3Bucket, S3Key }` state property carries).
    *
-   * `Tags` is omitted as well: `GetFunction` returns Tags as an object map,
-   * while CFn / cdkd state holds them as `[{Key, Value}]`. Re-shaping
-   * accurately requires deciding how to handle the auto-injected
-   * `aws:cdk:path` tag, which is out of scope for this PR. Tag drift is
-   * typically less interesting than configuration drift.
+   * `Tags` is surfaced from the `Tags` map on the same `GetFunction`
+   * response. CDK's auto-injected `aws:cdk:*` tags (which AWS happily
+   * returns) are filtered out by `normalizeAwsTagsToCfn` so they don't
+   * fire false-positive drift against state. The result key is omitted
+   * entirely when AWS reports no user tags, matching `create()`'s
+   * behavior of only sending `Tags` when the user explicitly passes
+   * them.
    *
    * Returns `undefined` when the function is gone (`ResourceNotFoundException`).
    */
@@ -14753,6 +14857,9 @@ var LambdaFunctionProvider = class {
         if (Object.keys(vpc).length > 0)
           result["VpcConfig"] = vpc;
       }
+      const tags = normalizeAwsTagsToCfn(resp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException)
@@ -14760,6 +14867,17 @@ var LambdaFunctionProvider = class {
       throw err;
     }
   }
+  /**
+   * `Code: { S3Bucket, S3Key }` is set on create / update but `GetFunction`
+   * only returns a pre-signed URL for the deployed code, never the original
+   * asset key — so a state-recorded `Code` value can never match an
+   * AWS-current snapshot. Tell the drift comparator to skip the whole
+   * `Code` subtree to avoid the guaranteed false-positive that would fire
+   * on every clean run.
+   */
+  getDriftUnknownPaths() {
+    return ["Code"];
+  }
   /**
    * Adopt an existing Lambda function into cdkd state.
    *
@@ -15903,6 +16021,16 @@ var LambdaLayerVersionProvider = class {
     }
     return result;
   }
+  /**
+   * `Content: { S3Bucket, S3Key }` is set on create but
+   * `GetLayerVersionByArn` only returns a pre-signed URL for the deployed
+   * content — the original asset key is unrecoverable. Tell the drift
+   * comparator to skip the whole `Content` subtree to avoid the guaranteed
+   * false-positive that would fire on every clean run.
+   */
+  getDriftUnknownPaths() {
+    return ["Content"];
+  }
   /**
    * Adopt an existing Lambda layer version into cdkd state.
    *
@@ -16235,10 +16363,12 @@ var DynamoDBTableProvider = class {
    *
    * Returns `undefined` when the table is gone (`ResourceNotFoundException`).
    *
-   * Tags are intentionally omitted: `ListTagsOfResource` is a separate call
-   * and tag drift is generally less interesting than table-config drift;
-   * including it would also force a tag-shape decision on the
-   * `aws:cdk:path` auto-tag, which is out of scope here.
+   * Tags are surfaced via a follow-up `ListTagsOfResource` call (DynamoDB
+   * doesn't include tags in `DescribeTable`). CDK's `aws:*` auto-tags are
+   * filtered out by `normalizeAwsTagsToCfn` so they don't fire false-positive
+   * drift, and the result key is omitted entirely when AWS reports no user
+   * tags (matches `create()`'s behavior of only sending Tags when the
+   * template carries them).
    */
   async readCurrentState(physicalId, _logicalId, _resourceType) {
     try {
@@ -16295,6 +16425,20 @@ var DynamoDBTableProvider = class {
       if (table.TableClassSummary?.TableClass) {
         result["TableClass"] = table.TableClassSummary.TableClass;
       }
+      if (table.TableArn) {
+        try {
+          const tagsResp = await this.dynamoDBClient.send(
+            new ListTagsOfResourceCommand({ ResourceArn: table.TableArn })
+          );
+          const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+          if (tags.length > 0)
+            result["Tags"] = tags;
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException6)
+            return void 0;
+          throw err;
+        }
+      }
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException6)
@@ -16616,11 +16760,16 @@ var LogsLogGroupProvider = class {
    * `RetentionInDays`).
    *
    * Coverage: `LogGroupName`, `KmsKeyId`, `RetentionInDays`,
-   * `LogGroupClass`. Other handledProperties (`DataProtectionPolicy`,
-   * `Tags`, `FieldIndexPolicies`, `ResourcePolicyDocument`,
+   * `LogGroupClass`, `Tags`. Other handledProperties (`DataProtectionPolicy`,
+   * `FieldIndexPolicies`, `ResourcePolicyDocument`,
    * `DeletionProtectionEnabled`, `BearerTokenAuthenticationEnabled`) need
    * their own per-property API call and are out of scope for v1.
    *
+   * Tags are read via `ListTagsForResource` (using the log-group ARN from
+   * the same `DescribeLogGroups` response). CDK's `aws:*` auto-tags are
+   * filtered out so they don't fire false-positive drift; the result key is
+   * omitted entirely when AWS reports no user tags.
+   *
    * Returns `undefined` when the log group is gone.
    */
   async readCurrentState(physicalId, _logicalId, _resourceType) {
@@ -16641,6 +16790,21 @@ var LogsLogGroupProvider = class {
       }
       if (found.logGroupClass !== void 0)
         result["LogGroupClass"] = found.logGroupClass;
+      if (found.arn) {
+        const arnForTags = found.arn.replace(/:\*$/, "");
+        try {
+          const tagsResp = await this.logsClient.send(
+            new ListTagsForResourceCommand2({ resourceArn: arnForTags })
+          );
+          const tags = normalizeAwsTagsToCfn(tagsResp.tags);
+          if (tags.length > 0)
+            result["Tags"] = tags;
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException7)
+            return void 0;
+          throw err;
+        }
+      }
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException7)
@@ -17010,6 +17174,20 @@ var CloudWatchAlarmProvider = class {
     if (alarm.Metrics && alarm.Metrics.length > 0) {
       result["Metrics"] = alarm.Metrics.map((m) => m);
     }
+    if (alarm.AlarmArn) {
+      try {
+        const tagsResp = await this.cloudWatchClient.send(
+          new ListTagsForResourceCommand3({ ResourceARN: alarm.AlarmArn })
+        );
+        const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+        if (tags.length > 0)
+          result["Tags"] = tags;
+      } catch (err) {
+        this.logger.debug(
+          `CloudWatch ListTagsForResource(${alarm.AlarmArn}) failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
     return result;
   }
   async import(input) {
@@ -17348,8 +17526,10 @@ var SecretsManagerSecretProvider = class {
    *     call to avoid surfacing plaintext through drift). Cdkd state holds
    *     the user-supplied string verbatim; comparing against AWS would
    *     require pulling the value, so this is deliberately deferred.
-   *   - `Tags`: `DescribeSecret` returns Tags, but the auto-injected
-   *     `aws:cdk:path` tag-shape question is out of scope here.
+   *
+   * `Tags` is surfaced from the same `DescribeSecret` response (no extra
+   * round-trip). CDK's `aws:*` auto-tags are filtered out; the result key
+   * is omitted entirely when AWS reports no user tags.
    *
    * Returns `undefined` when the secret is gone (`ResourceNotFoundException`).
    */
@@ -17374,6 +17554,9 @@ var SecretsManagerSecretProvider = class {
           return out;
         });
       }
+      const tags = normalizeAwsTagsToCfn(resp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException8)
@@ -17381,6 +17564,16 @@ var SecretsManagerSecretProvider = class {
       throw err;
     }
   }
+  /**
+   * `SecretString` and `GenerateSecretString` are set on create but
+   * `DescribeSecret` does not return the secret value (that lives behind
+   * `GetSecretValue`, which we deliberately never call to avoid surfacing
+   * plaintext through drift). Tell the drift comparator to skip both keys
+   * so they don't fire guaranteed false-positive drift on every clean run.
+   */
+  getDriftUnknownPaths() {
+    return ["SecretString", "GenerateSecretString"];
+  }
   /**
    * Adopt an existing Secrets Manager secret into cdkd state.
    *
@@ -17660,12 +17853,12 @@ var SSMParameterProvider = class {
    * metadata (`Description`, `AllowedPattern`, `Tier`) that `GetParameter`
    * does not return.
    *
-   * `Name` is set to the physical id. `Tags` and `Policies` are intentionally
-   * out of scope (`Tags` requires a separate `ListTagsForResource` round-trip
-   * and the auto-injected `aws:cdk:path` tag-shape question is unresolved;
-   * `Policies` is returned by `DescribeParameters.Policies` as a structured
-   * array but cdkd state holds the raw JSON string the user typed — comparing
-   * the two accurately needs more work).
+   * `Name` is set to the physical id. `Tags` is surfaced via a follow-up
+   * `ListTagsForResource(ResourceType=Parameter)` call, with CDK's `aws:*`
+   * auto-tags filtered out. `Policies` is intentionally out of scope:
+   * `DescribeParameters.Policies` returns a structured array but cdkd state
+   * holds the raw JSON string the user typed — comparing the two accurately
+   * needs more work.
    *
    * **Note**: For `SecureString` parameters, AWS returns the encrypted
    * blob in `Value` (we pass `WithDecryption: false`). cdkd state usually
@@ -17717,6 +17910,18 @@ var SSMParameterProvider = class {
       }
     } catch {
     }
+    try {
+      const tagsResp = await this.ssmClient.send(
+        new ListTagsForResourceCommand4({
+          ResourceType: "Parameter",
+          ResourceId: physicalId
+        })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch {
+    }
     return result;
   }
   /**
@@ -18060,8 +18265,10 @@ var EventBridgeRuleProvider = class {
    * it as the user typed it, typically an object), `ScheduleExpression`,
    * `State`, `RoleArn`, `Targets` (CFn shape `[{Id, Arn, ...}]`).
    *
-   * `Tags` is omitted (separate `ListTagsForResource` round-trip; auto-injected
-   * `aws:cdk:path` tag-shape question is out of scope here).
+   * `Tags` is surfaced via a follow-up `ListTagsForResource` call (using the
+   * rule ARN — the same `physicalId` cdkd state holds). CDK's `aws:*`
+   * auto-tags are filtered out; the result key is omitted entirely when AWS
+   * reports no user tags.
    *
    * Returns `undefined` when the rule is gone (`ResourceNotFoundException`).
    */
@@ -18119,6 +18326,18 @@ var EventBridgeRuleProvider = class {
         throw err;
       }
     }
+    try {
+      const tagsResp = await this.eventBridgeClient.send(
+        new ListTagsForResourceCommand5({ ResourceARN: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (!(err instanceof ResourceNotFoundException9)) {
+        throw err;
+      }
+    }
     return result;
   }
   /**
@@ -18489,10 +18708,13 @@ var EventBridgeBusProvider = class {
    * the user typed it, which may be either an object or a string — the
    * comparator handles either side).
    *
-   * `Tags` and `EventSourceName` are intentionally omitted: tags require a
-   * separate `ListTagsForResource` round-trip and the auto-injected
-   * `aws:cdk:path` tag-shape question is out of scope; `EventSourceName`
-   * is set at create time only and not surfaced by `DescribeEventBus`.
+   * `Tags` is surfaced via a follow-up `ListTagsForResource` call (using the
+   * bus ARN from the same `DescribeEventBus` response). CDK's `aws:*`
+   * auto-tags are filtered out; the result key is omitted when AWS reports
+   * no user tags.
+   *
+   * `EventSourceName` is intentionally omitted: it is set at create time
+   * only and not surfaced by `DescribeEventBus`.
    *
    * Returns `undefined` when the bus is gone (`ResourceNotFoundException`).
    */
@@ -18520,6 +18742,20 @@ var EventBridgeBusProvider = class {
           result["Policy"] = resp.Policy;
         }
       }
+      if (resp.Arn) {
+        try {
+          const tagsResp = await this.eventBridgeClient.send(
+            new ListTagsForResourceCommand6({ ResourceARN: resp.Arn })
+          );
+          const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+          if (tags.length > 0)
+            result["Tags"] = tags;
+        } catch (err) {
+          if (err instanceof ResourceNotFoundException10)
+            return void 0;
+          throw err;
+        }
+      }
       return result;
     } catch (err) {
       if (err instanceof ResourceNotFoundException10)
@@ -22818,6 +23054,9 @@ var ApiGatewayV2Provider = class {
       }
       if (resp.CorsConfiguration)
         result["CorsConfiguration"] = resp.CorsConfiguration;
+      const tags = normalizeAwsTagsToCfn(resp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
       return result;
     } catch (err) {
       if (err instanceof NotFoundException4)
@@ -24268,8 +24507,9 @@ var StepFunctionsProvider = class {
    * time and not surfaced by `DescribeStateMachine` (the response carries
    * the already-substituted definition).
    *
-   * `Tags` is omitted (separate `ListTagsForResource` round-trip; auto-injected
-   * `aws:cdk:path` tag-shape question is out of scope here).
+   * `Tags` is surfaced via a follow-up `ListTagsForResource(arn)` call.
+   * CDK's `aws:*` auto-tags are filtered out; the result key is omitted
+   * entirely when AWS reports no user tags.
    *
    * Returns `undefined` when the state machine is gone (`StateMachineDoesNotExist`).
    */
@@ -24337,6 +24577,17 @@ var StepFunctionsProvider = class {
       if (Object.keys(ec).length > 0)
         result["EncryptionConfiguration"] = ec;
     }
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand8({ resourceArn: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (!(err instanceof StateMachineDoesNotExist))
+        throw err;
+    }
     return result;
   }
   /**
@@ -25178,8 +25429,11 @@ var ECSProvider = class {
    *   - `AWS::ECS::TaskDefinition` → `DescribeTaskDefinition`
    *
    * Each branch surfaces only the keys cdkd's `create()` accepts, mapping
-   * the SDK's camelCase to CFn PascalCase. Tags are intentionally omitted
-   * (separate `ListTagsForResource` round-trip).
+   * the SDK's camelCase to CFn PascalCase. Tags are surfaced via
+   * `DescribeClusters/Services(include=[TAGS])` for cluster / service, and
+   * via `DescribeTaskDefinition(include=[TAGS])` for task definitions —
+   * with CDK's `aws:*` auto-tags filtered out. Tag-result keys are omitted
+   * when AWS reports no user tags.
    */
   async readCurrentState(physicalId, _logicalId, resourceType) {
     switch (resourceType) {
@@ -25197,7 +25451,7 @@ var ECSProvider = class {
     let resp;
     try {
       resp = await this.getClient().send(
-        new DescribeClustersCommand({ clusters: [physicalId] })
+        new DescribeClustersCommand({ clusters: [physicalId], include: ["TAGS"] })
       );
     } catch {
       return void 0;
@@ -25220,6 +25474,9 @@ var ECSProvider = class {
         Value: s.value
       }));
     }
+    const tags = normalizeAwsTagsToCfn(c.tags);
+    if (tags.length > 0)
+      result["Tags"] = tags;
     return result;
   }
   async readCurrentStateService(physicalId) {
@@ -25231,7 +25488,11 @@ var ECSProvider = class {
     let resp;
     try {
       resp = await this.getClient().send(
-        new DescribeServicesCommand({ cluster: clusterArn, services: [serviceName] })
+        new DescribeServicesCommand({
+          cluster: clusterArn,
+          services: [serviceName],
+          include: ["TAGS"]
+        })
       );
     } catch {
       return void 0;
@@ -25284,13 +25545,16 @@ var ECSProvider = class {
     if (s.serviceRegistries && s.serviceRegistries.length > 0) {
       result["ServiceRegistries"] = s.serviceRegistries;
     }
+    const tags = normalizeAwsTagsToCfn(s.tags);
+    if (tags.length > 0)
+      result["Tags"] = tags;
     return result;
   }
   async readCurrentStateTaskDefinition(physicalId) {
     let resp;
     try {
       resp = await this.getClient().send(
-        new DescribeTaskDefinitionCommand({ taskDefinition: physicalId })
+        new DescribeTaskDefinitionCommand({ taskDefinition: physicalId, include: ["TAGS"] })
       );
     } catch {
       return void 0;
@@ -25333,6 +25597,9 @@ var ECSProvider = class {
     if (td.containerDefinitions && td.containerDefinitions.length > 0) {
       result["ContainerDefinitions"] = td.containerDefinitions;
     }
+    const tags = normalizeAwsTagsToCfn(resp.tags);
+    if (tags.length > 0)
+      result["Tags"] = tags;
     return result;
   }
   /**
@@ -25961,8 +26228,11 @@ var ELBv2Provider = class {
    *  - `Listener` → `DescribeListeners` (LoadBalancerArn, Certificates,
    *    DefaultActions, Port, Protocol, SslPolicy).
    *
-   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
-   * when the resource is gone (`*NotFoundException`).
+   * Tags are surfaced via a follow-up `DescribeTags(ResourceArns=[arn])`
+   * for all three types (the `physicalId` cdkd state holds is the ARN).
+   * CDK's `aws:*` auto-tags are filtered out and the result key is omitted
+   * when AWS reports no user tags. Returns `undefined` when the resource
+   * is gone (`*NotFoundException`).
    */
   async readCurrentState(physicalId, _logicalId, resourceType) {
     switch (resourceType) {
@@ -26009,6 +26279,7 @@ var ELBv2Provider = class {
       result["Type"] = lb.Type;
     if (lb.IpAddressType !== void 0)
       result["IpAddressType"] = lb.IpAddressType;
+    await this.attachTags(result, physicalId);
     return result;
   }
   async readTargetGroup(physicalId) {
@@ -26067,6 +26338,7 @@ var ELBv2Provider = class {
       if (Object.keys(matcher).length > 0)
         result["Matcher"] = matcher;
     }
+    await this.attachTags(result, physicalId);
     return result;
   }
   async readListener(physicalId) {
@@ -26108,8 +26380,23 @@ var ELBv2Provider = class {
         (a) => a
       );
     }
+    await this.attachTags(result, physicalId);
     return result;
   }
+  /** Best-effort tag fetch via `DescribeTags(ResourceArns=[arn])`. */
+  async attachTags(result, arn) {
+    try {
+      const resp = await this.getClient().send(new DescribeTagsCommand({ ResourceArns: [arn] }));
+      const tagDesc = resp.TagDescriptions?.[0];
+      const tags = normalizeAwsTagsToCfn(tagDesc?.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `ELBv2 DescribeTags(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
   /**
    * Adopt an existing ELBv2 LoadBalancer or TargetGroup into cdkd state.
    *
@@ -26864,8 +27151,10 @@ var RDSProvider = class {
    *
    * Each branch surfaces only the keys cdkd's `create()` accepts. Sensitive
    * fields like `MasterUserPassword` are NEVER surfaced (RDS does not return
-   * them in the Describe responses). `Tags` are intentionally omitted
-   * (separate `ListTagsForResource` round-trip).
+   * them in the Describe responses). `Tags` are surfaced via a follow-up
+   * `ListTagsForResource(ResourceName=arn)` call (RDS uses `[{Key, Value}]`
+   * shape). CDK's `aws:*` auto-tags are filtered out; the result key is
+   * omitted entirely when AWS reports no user tags.
    *
    * Returns `undefined` when the resource is gone (`*NotFoundFault`).
    */
@@ -26909,6 +27198,8 @@ var RDSProvider = class {
     if (inst.PubliclyAccessible !== void 0) {
       result["PubliclyAccessible"] = inst.PubliclyAccessible;
     }
+    if (inst.DBInstanceArn)
+      await this.attachTags(result, inst.DBInstanceArn);
     return result;
   }
   async readCurrentStateDBCluster(physicalId) {
@@ -26965,6 +27256,8 @@ var RDSProvider = class {
       if (Object.keys(sc).length > 0)
         result["ServerlessV2ScalingConfiguration"] = sc;
     }
+    if (cluster.DBClusterArn)
+      await this.attachTags(result, cluster.DBClusterArn);
     return result;
   }
   async readCurrentStateDBSubnetGroup(physicalId) {
@@ -26992,8 +27285,31 @@ var RDSProvider = class {
         (id) => !!id
       );
     }
+    if (sg.DBSubnetGroupArn)
+      await this.attachTags(result, sg.DBSubnetGroupArn);
     return result;
   }
+  /**
+   * Fetch tags via `ListTagsForResource(ResourceName=arn)` and merge them
+   * into the result under `Tags` (CFn shape, `aws:*` filtered out, omitted
+   * when empty). Best-effort: tag-fetch failures are logged at debug and
+   * the key is simply left out — drift detection on configuration is more
+   * important than fail-closing on a missing tag permission.
+   */
+  async attachTags(result, arn) {
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand10({ ResourceName: arn })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `RDS ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
   async importDBInstance(input) {
     const explicit = resolveExplicitPhysicalId(input, "DBInstanceIdentifier");
     if (explicit) {
@@ -27770,10 +28086,11 @@ var Route53Provider = class {
    *
    * Dispatch per resource type:
    *  - `HostedZone` → `GetHostedZone` (Name, HostedZoneConfig{Comment,
-   *    PrivateZone}, VPCs from `VPCs[]`). Tags are skipped (CDK auto-tag
-   *    handling deferred); QueryLoggingConfig is skipped because it's a
-   *    separate `ListQueryLoggingConfigs` call and the v1 surface does
-   *    not surface it.
+   *    PrivateZone}, VPCs from `VPCs[]`, HostedZoneTags via
+   *    `ListTagsForResource(ResourceType=hostedzone, ResourceId=<idTail>)`
+   *    with `aws:*` filtered out and the key omitted when empty).
+   *    QueryLoggingConfig is skipped because it's a separate
+   *    `ListQueryLoggingConfigs` call and the v1 surface does not surface it.
    *  - `RecordSet` → `ListResourceRecordSets` filtered to the exact
    *    `(name, type)` pair from the composite physicalId
    *    (`{zoneId}|{name}|{type}`). Surfaces TTL, ResourceRecords (with
@@ -27828,6 +28145,19 @@ var Route53Provider = class {
         return out;
       });
     }
+    const idTail = physicalId.replace(/^\/hostedzone\//, "");
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand11({ ResourceType: "hostedzone", ResourceId: idTail })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.ResourceTagSet?.Tags);
+      if (tags.length > 0)
+        result["HostedZoneTags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `Route53 ListTagsForResource(${idTail}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
     return result;
   }
   async readRecordSet(physicalId) {
@@ -28207,7 +28537,9 @@ var WAFv2WebACLProvider = class {
    * and AssociationConfig — every key cdkd state declares as
    * `handledProperties`. `Scope` is recovered from the ARN parse.
    *
-   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
+   * Tags are surfaced via a follow-up `ListTagsForResource(ResourceARN)`
+   * call. CDK's `aws:*` auto-tags are filtered out and the result key is
+   * omitted when AWS reports no user tags. Returns `undefined`
    * when the ARN can't be parsed or the WebACL is gone
    * (`WAFNonexistentItemException`).
    */
@@ -28264,6 +28596,18 @@ var WAFv2WebACLProvider = class {
     if (webACL.AssociationConfig) {
       result["AssociationConfig"] = webACL.AssociationConfig;
     }
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand12({ ResourceARN: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.TagInfoForResource?.TagList);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `WAFv2 ListTagsForResource(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
     return result;
   }
   /**
@@ -28671,9 +29015,10 @@ var CognitoUserPoolProvider = class {
    * `UserPoolClient`, `UserPoolGroup`, and other Cognito sub-resources go
    * through the CC API fallback (which has its own `readCurrentState`).
    *
-   * `UserPoolTags` is intentionally omitted (Cognito returns tags via a
-   * separate `ListTagsForResource` round-trip; auto-injected `aws:cdk:path`
-   * tag-shape question is out of scope here).
+   * `UserPoolTags` is surfaced from the same `DescribeUserPool` response —
+   * Cognito's CFn property is a tag-name → value map (NOT an array of
+   * `{Key, Value}`), so we keep the map shape and just filter out CDK's
+   * `aws:*` auto-tags. The result key is omitted when no user tags remain.
    *
    * Returns `undefined` when the pool is gone (`ResourceNotFoundException`).
    */
@@ -28750,6 +29095,15 @@ var CognitoUserPoolProvider = class {
     if (pool.SmsVerificationMessage !== void 0) {
       result["SmsVerificationMessage"] = pool.SmsVerificationMessage;
     }
+    if (pool.UserPoolTags) {
+      const userTags = {};
+      for (const [k, v] of Object.entries(pool.UserPoolTags)) {
+        if (!k.startsWith("aws:"))
+          userTags[k] = v;
+      }
+      if (Object.keys(userTags).length > 0)
+        result["UserPoolTags"] = userTags;
+    }
     return result;
   }
   /**
@@ -29254,8 +29608,11 @@ var ElastiCacheProvider = class {
    *    surfacing `CacheSubnetGroupName`, `CacheSubnetGroupDescription`,
    *    and `SubnetIds` derived from `Subnets[].SubnetIdentifier`.
    *
-   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
-   * when the resource is gone (`*NotFoundFault`).
+   * Tags are surfaced via a follow-up `ListTagsForResource(ResourceName=arn)`
+   * for both types (ARN derived from `cluster.ARN` / `group.ARN`). CDK's
+   * `aws:*` auto-tags are filtered out and the result key is omitted when
+   * AWS reports no user tags. Returns `undefined` when the resource is gone
+   * (`*NotFoundFault`).
    */
   async readCurrentState(physicalId, _logicalId, resourceType) {
     switch (resourceType) {
@@ -29335,6 +29692,8 @@ var ElastiCacheProvider = class {
       if (ids.length > 0)
         result["VpcSecurityGroupIds"] = ids;
     }
+    if (cluster.ARN)
+      await this.attachTags(result, cluster.ARN);
     return result;
   }
   async readSubnetGroup(physicalId) {
@@ -29363,8 +29722,25 @@ var ElastiCacheProvider = class {
       if (ids.length > 0)
         result["SubnetIds"] = ids;
     }
+    if (group.ARN)
+      await this.attachTags(result, group.ARN);
     return result;
   }
+  /** Best-effort tag fetch — failures omit the key without breaking the read. */
+  async attachTags(result, arn) {
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand14({ ResourceName: arn })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.TagList);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `ElastiCache ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
   /**
    * Adopt an existing ElastiCache resource into cdkd state.
    *
@@ -29850,8 +30226,12 @@ var ServiceDiscoveryProvider = class {
    *  - `Service` → `GetService` (Name, NamespaceId, Description, Type,
    *    DnsConfig, HealthCheckConfig, HealthCheckCustomConfig).
    *
-   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
-   * when the resource is gone (`NamespaceNotFound` / `ServiceNotFound`).
+   * Tags are surfaced via a follow-up `ListTagsForResource(ResourceARN)`
+   * call (using the resource ARN from `GetNamespace.Arn` or
+   * `GetService.Arn`). CDK's `aws:*` auto-tags are filtered out and the
+   * result key is omitted when AWS reports no user tags. Returns
+   * `undefined` when the resource is gone (`NamespaceNotFound` /
+   * `ServiceNotFound`).
    */
   async readCurrentState(physicalId, _logicalId, resourceType) {
     switch (resourceType) {
@@ -29881,6 +30261,8 @@ var ServiceDiscoveryProvider = class {
     if (ns.Description !== void 0 && ns.Description !== "") {
       result["Description"] = ns.Description;
     }
+    if (ns.Arn)
+      await this.attachTags(result, ns.Arn);
     return result;
   }
   async readService(physicalId) {
@@ -29914,8 +30296,25 @@ var ServiceDiscoveryProvider = class {
     if (svc.HealthCheckCustomConfig) {
       result["HealthCheckCustomConfig"] = svc.HealthCheckCustomConfig;
     }
+    if (svc.Arn)
+      await this.attachTags(result, svc.Arn);
     return result;
   }
+  /** Best-effort tag fetch via `ListTagsForResource(ResourceARN)`. */
+  async attachTags(result, arn) {
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForResourceCommand15({ ResourceARN: arn })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      this.logger.debug(
+        `ServiceDiscovery ListTagsForResource(${arn}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
   async import(input) {
     switch (input.resourceType) {
       case "AWS::ServiceDiscovery::PrivateDnsNamespace":
@@ -30562,7 +30961,9 @@ var AppSyncProvider = class {
    *
    * Dispatches per resource type:
    *  - `GraphQLApi` → `GetGraphqlApi` (Name, AuthenticationType, XrayEnabled,
-   *    LogConfig). Tags are skipped (CDK auto-tag handling deferred).
+   *    LogConfig, Tags). Tags come from the same response (`tags` map);
+   *    CDK's `aws:*` auto-tags are filtered out and the result key is
+   *    omitted when no user tags remain.
    *  - `DataSource` → `GetDataSource` (Name, Type, Description,
    *    ServiceRoleArn, DynamoDBConfig, LambdaConfig, HttpConfig). The
    *    `ApiId` cdkd holds is recovered from the `apiId|name` physicalId.
@@ -30630,6 +31031,9 @@ var AppSyncProvider = class {
       if (Object.keys(log).length > 0)
         result["LogConfig"] = log;
     }
+    const tags = normalizeAwsTagsToCfn(api.tags);
+    if (tags.length > 0)
+      result["Tags"] = tags;
     return result;
   }
   async readDataSource(physicalId) {
@@ -31875,9 +32279,11 @@ var KMSProvider = class {
    *     Surfaces `AliasName`, `TargetKeyId`. `ListAliases` is paginated
    *     since there's no direct "describe one alias" API.
    *
-   * `Tags` is intentionally omitted (separate `ListResourceTags` round-trip
-   * for keys; auto-injected `aws:cdk:path` tag-shape question is out of
-   * scope here). `BypassPolicyLockoutSafetyCheck` and `PendingWindowInDays`
+   * `Tags` is surfaced for `AWS::KMS::Key` via a follow-up
+   * `ListResourceTags(KeyId)` call (KMS uses `[{TagKey, TagValue}]` shape).
+   * CDK's `aws:*` auto-tags are filtered out; the result key is omitted
+   * entirely when AWS reports no user tags. `AWS::KMS::Alias` does not
+   * support tags. `BypassPolicyLockoutSafetyCheck` and `PendingWindowInDays`
    * are not part of the persisted AWS state visible via `DescribeKey`.
    *
    * Returns `undefined` when the resource is gone (`NotFoundException`).
@@ -31920,6 +32326,19 @@ var KMSProvider = class {
       result["MultiRegion"] = md.MultiRegion;
     if (md.Origin !== void 0)
       result["Origin"] = md.Origin;
+    if (md.KeyId) {
+      try {
+        const tagsResp = await this.getClient().send(
+          new ListResourceTagsCommand({ KeyId: md.KeyId })
+        );
+        const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+        if (tags.length > 0)
+          result["Tags"] = tags;
+      } catch (err) {
+        if (err instanceof NotFoundException5)
+          return void 0;
+      }
+    }
     return result;
   }
   async readCurrentStateAlias(physicalId) {
@@ -32303,7 +32722,8 @@ var KinesisStreamProvider = class {
    *
    * Issues `DescribeStream` and surfaces the keys cdkd's `create()`
    * accepts: `Name`, `StreamModeDetails`, `ShardCount`, `RetentionPeriodHours`,
-   * and `StreamEncryption`. Tags are skipped (CDK auto-tag handling deferred).
+   * and `StreamEncryption`. Tags are surfaced via a follow-up
+   * `ListTagsForStream` with `aws:*` filtered out.
    *
    * `ShardCount` is reported as the count of `Shards[]` in the stream
    * description (only present for PROVISIONED-mode streams; ON_DEMAND
@@ -32352,6 +32772,20 @@ var KinesisStreamProvider = class {
         encryption["KeyId"] = stream.KeyId;
       result["StreamEncryption"] = encryption;
     }
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForStreamCommand({ StreamName: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException13)
+        return void 0;
+      this.logger.debug(
+        `Kinesis ListTagsForStream(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
     return result;
   }
   async import(input) {
@@ -32864,7 +33298,12 @@ var EFSProvider = class {
    *  - `MountTarget` → `DescribeMountTargets` (FileSystemId, SubnetId).
    *    SecurityGroups requires a separate call and is omitted for v1.
    *
-   * Tags are skipped across all three (CDK auto-tag handling deferred).
+   * `FileSystemTags` (the CFn property name on `AWS::EFS::FileSystem`) is
+   * surfaced from the same `DescribeFileSystems` response — `aws:*`
+   * auto-tags filtered, key omitted when empty. `AccessPoint` and
+   * `MountTarget` are not surfaced for tags here (`AccessPointTags` would
+   * mirror this approach but the test scope below covers `FileSystem`
+   * only; further coverage can land in a follow-up).
    * Returns `undefined` when the resource is gone (`*NotFound`).
    */
   async readCurrentState(physicalId, _logicalId, resourceType) {
@@ -32941,6 +33380,9 @@ var EFSProvider = class {
       if (err instanceof FileSystemNotFound)
         return void 0;
     }
+    const tags = normalizeAwsTagsToCfn(fs.Tags);
+    if (tags.length > 0)
+      result["FileSystemTags"] = tags;
     return result;
   }
   async readAccessPoint(physicalId) {
@@ -33492,8 +33934,10 @@ var FirehoseProvider = class {
    * fields. Drift on destination contents is best chased manually via
    * `aws firehose describe-delivery-stream` for now.
    *
-   * Tags + DeliveryStreamEncryptionConfigurationInput are skipped (they
-   * each need separate calls / shape decisions).
+   * Tags are surfaced via a follow-up `ListTagsForDeliveryStream` call
+   * with `aws:*` filtered out and the result key omitted when empty.
+   * `DeliveryStreamEncryptionConfigurationInput` is still skipped (shape
+   * decision deferred).
    *
    * Returns `undefined` when the stream is gone (`ResourceNotFoundException`).
    */
@@ -33529,6 +33973,20 @@ var FirehoseProvider = class {
         result["KinesisStreamSourceConfiguration"] = srcOut;
       }
     }
+    try {
+      const tagsResp = await this.getClient().send(
+        new ListTagsForDeliveryStreamCommand({ DeliveryStreamName: physicalId })
+      );
+      const tags = normalizeAwsTagsToCfn(tagsResp.Tags);
+      if (tags.length > 0)
+        result["Tags"] = tags;
+    } catch (err) {
+      if (err instanceof ResourceNotFoundException14)
+        return void 0;
+      this.logger.debug(
+        `Firehose ListTagsForDeliveryStream(${physicalId}) failed: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
     return result;
   }
   async import(input) {
@@ -33864,8 +34322,13 @@ var CloudTrailProvider = class {
    * derived field; the cdkd state property is `SnsTopicName` so we
    * surface `SnsTopicName` directly from `GetTrail.SnsTopicName`.
    *
-   * Tags + InsightSelectors are skipped for v1 (each needs its own
-   * separate call + shape mapping).
+   * Tags are surfaced via a follow-up `ListTags(ResourceIdList=[arn])` call
+   * (using the trail ARN from the same `GetTrail` response). CDK's `aws:*`
+   * auto-tags are filtered out and the result key is omitted when AWS
+   * reports no user tags.
+   *
+   * `InsightSelectors` is skipped for v1 (separate call + shape mapping
+   * still TBD).
    *
    * Returns `undefined` when the trail is gone (`TrailNotFoundException`).
    */
@@ -33927,6 +34390,20 @@ var CloudTrailProvider = class {
       }
     } catch {
     }
+    if (trail.TrailARN) {
+      try {
+        const tagsResp = await this.getClient().send(
+          new ListTagsCommand3({ ResourceIdList: [trail.TrailARN] })
+        );
+        const tags = normalizeAwsTagsToCfn(tagsResp.ResourceTagList?.[0]?.TagsList);
+        if (tags.length > 0)
+          result["Tags"] = tags;
+      } catch (err) {
+        this.logger.debug(
+          `CloudTrail ListTags(${trail.TrailARN}) failed: ${err instanceof Error ? err.message : String(err)}`
+        );
+      }
+    }
     return result;
   }
   async import(input) {
@@ -34259,8 +34736,12 @@ var CodeBuildProvider = class {
    * is left to a follow-up — surfacing them with a partial shape would
    * fire false drift on every project that uses them.
    *
-   * Tags are skipped (CDK auto-tag handling deferred). Returns `undefined`
-   * when the project is gone (`projects` array empty / `projectsNotFound` set).
+   * Tags are surfaced from the same `BatchGetProjects` response (CodeBuild
+   * uses lower-case `key`/`value` shape; `normalizeAwsTagsToCfn` re-shapes
+   * to CFn `[{Key, Value}]`). CDK's `aws:*` auto-tags are filtered out
+   * and the result key is omitted when AWS reports no user tags. Returns
+   * `undefined` when the project is gone (`projects` array empty /
+   * `projectsNotFound` set).
    */
   async readCurrentState(physicalId, _logicalId, _resourceType) {
     let project;
@@ -34379,6 +34860,9 @@ var CodeBuildProvider = class {
       if (Object.keys(env).length > 0)
         result["Environment"] = env;
     }
+    const tags = normalizeAwsTagsToCfn(project.tags);
+    if (tags.length > 0)
+      result["Tags"] = tags;
     return result;
   }
   async import(input) {
@@ -35907,11 +36391,14 @@ var ECRProvider = class {
    *     round-trip; cdkd state holds the policy as either a string or an
    *     object (depending on user input), and the comparator round-trip
    *     is not yet handled here.
-   *   - `Tags`: requires `ListTagsForResource`; auto-injected
-   *     `aws:cdk:path` tag-shape question is out of scope.
    *   - `EmptyOnDelete` / `ImageTagMutabilityExclusionFilters`: not part
    *     of the persisted AWS state visible via standard Describe.
    *
+   * `Tags` is surfaced via a follow-up `ListTagsForResource(arn)` call
+   * (using the repository ARN that `DescribeRepositories` returns). CDK's
+   * `aws:*` auto-tags are filtered out; the result key is omitted entirely
+   * when AWS reports no user tags.
+   *
    * Returns `undefined` when the repository is gone (`RepositoryNotFoundException`).
    */
   async readCurrentState(physicalId, _logicalId, _resourceType) {
@@ -35964,6 +36451,19 @@ var ECRProvider = class {
         throw err;
       }
     }
+    if (r.repositoryArn) {
+      try {
+        const tagsResp = await this.getClient().send(
+          new ListTagsForResourceCommand18({ resourceArn: r.repositoryArn })
+        );
+        const tags = normalizeAwsTagsToCfn(tagsResp.tags);
+        if (tags.length > 0)
+          result["Tags"] = tags;
+      } catch (err) {
+        if (!(err instanceof RepositoryNotFoundException))
+          throw err;
+      }
+    }
     return result;
   }
   /**
@@ -38086,19 +38586,34 @@ import { Command as Command6, Option as Option3 } from "commander";
 init_aws_clients();
 
 // src/analyzer/drift-calculator.ts
-function calculateResourceDrift(stateProperties, awsProperties) {
+function calculateResourceDrift(stateProperties, awsProperties, options) {
   const drifts = [];
+  const ignore = options?.ignorePaths ?? [];
   for (const key of Object.keys(stateProperties)) {
-    diffAt(key, stateProperties[key], awsProperties[key], drifts);
+    if (isIgnoredPath(key, ignore))
+      continue;
+    diffAt(key, stateProperties[key], awsProperties[key], drifts, ignore);
   }
   return drifts;
 }
-function diffAt(path, stateValue, awsValue, out) {
+function isIgnoredPath(path, ignorePaths) {
+  for (const entry of ignorePaths) {
+    if (path === entry)
+      return true;
+    if (path.startsWith(`${entry}.`))
+      return true;
+  }
+  return false;
+}
+function diffAt(path, stateValue, awsValue, out, ignorePaths) {
   if (deepEqual(stateValue, awsValue))
     return;
   if (isPlainObject(stateValue) && isPlainObject(awsValue) && !Array.isArray(stateValue) && !Array.isArray(awsValue)) {
     for (const key of Object.keys(stateValue)) {
-      diffAt(`${path}.${key}`, stateValue[key], awsValue[key], out);
+      const childPath = `${path}.${key}`;
+      if (isIgnoredPath(childPath, ignorePaths))
+        continue;
+      diffAt(childPath, stateValue[key], awsValue[key], out, ignorePaths);
     }
     return;
   }
@@ -38276,9 +38791,6 @@ async function driftCommand(stacks, options) {
     logger.setLevel("debug");
   }
   warnIfDeprecatedRegion(options);
-  if (!options.all && stacks.length === 0) {
-    throw new Error("Stack name is required. Usage: cdkd drift <stack> [<stack>...] | --all");
-  }
   if (options.accept && options.revert) {
     throw new Error(
       "--accept and --revert are mutually exclusive. Use --accept to update cdkd state from AWS, or --revert to push cdkd state values back into AWS."
@@ -38359,6 +38871,21 @@ function resolveTargetRefs(stacks, stateRefs, options) {
     }
     return stateRefs;
   }
+  if (stacks.length === 0) {
+    const candidates = options.stackRegion ? stateRefs.filter((r) => r.region === options.stackRegion) : stateRefs;
+    if (candidates.length === 0) {
+      throw new Error(
+        "No stacks found in state bucket. Run `cdkd deploy` first, or pass --all explicitly."
+      );
+    }
+    if (candidates.length === 1) {
+      return [candidates[0]];
+    }
+    const listing = candidates.map((r) => `${r.stackName}${r.region ? ` (${r.region})` : ""}`).join(", ");
+    throw new Error(
+      `Multiple stacks found in state: ${listing}. Specify stack name(s) or use --all.`
+    );
+  }
   const out = [];
   for (const stackName of stacks) {
     const matches = stateRefs.filter((r) => r.stackName === stackName);
@@ -38456,7 +38983,8 @@ async function runDriftForStack(stackName, region, stateBackend, providerRegistr
         });
         continue;
       }
-      const changes = calculateResourceDrift(resource.properties ?? {}, aws);
+      const ignorePaths = provider.getDriftUnknownPaths ? provider.getDriftUnknownPaths(resource.resourceType) : [];
+      const changes = calculateResourceDrift(resource.properties ?? {}, aws, { ignorePaths });
       if (changes.length === 0) {
         outcomes.push({ kind: "clean", logicalId, resourceType: resource.resourceType });
       } else {
@@ -42003,7 +42531,7 @@ function reorderArgs(argv) {
 }
 async function main() {
   const program = new Command14();
-  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.45.0");
+  program.name("cdkd").description("CDK Direct - Deploy AWS CDK apps directly via SDK/Cloud Control API").version("0.46.1");
   program.addCommand(createBootstrapCommand());
   program.addCommand(createSynthCommand());
   program.addCommand(createListCommand());